How to Sniff API Calls from a TestFlight Build Using Charles Proxy
Got it, let’s break down this workflow step by step—this is something I’ve walked through countless times for debugging app API interactions, including TestFlight builds. Here’s exactly what you need to do:
1. Set Up Charles and Your iOS Device for Proxying
First, get your environment ready so your device routes traffic through Charles:
- Install Charles Proxy on your computer (if you haven’t already). Make sure your iOS device and computer are connected to the same WiFi network.
- Configure Charles Proxy Port: Open Charles, go to Proxy > Proxy Settings. Under the "HTTP Proxy" tab, note the port number (default is 8888) and check "Enable HTTP Proxy".
- Set Up Device Proxy: On your iOS device, go to Settings > WiFi > [Your Network] > Configure Proxy. Select "Manual", then enter your computer’s local IP address (find this in Charles via Help > Local IP Address) and the port number you noted earlier.
- Install and Trust Charles SSL Certificate:
  - On your computer: Go to Help > SSL Proxying > Install Charles Root Certificate, then add it to your system’s trusted certificates (follow OS-specific prompts—for macOS, this means adding it to Keychain Access and setting it to "Always Trust").
  - On your iOS device: Open Safari and navigate to http://chls.pro/ssl, download the certificate, then go to Settings > General > VPN & Device Management to install it. Finally, enable trust for the certificate in Settings > General > About > Certificate Trust Settings.
2. Configure SSL Proxying for Your App’s APIs
Most modern APIs use HTTPS, so you need to tell Charles to intercept those encrypted requests:
- In Charles, go to Proxy > SSL Proxying Settings.
- Click "Add" to create a new SSL proxy entry. For the "Host" field, enter the domain of your API (e.g., api.your-app.com), and set the "Port" to 443. If you want to intercept all HTTPS traffic (not recommended for clarity), use * for both Host and Port.
- Make sure the "Enable SSL Proxying" checkbox is checked, then save the settings.
3. Capture API Traffic from the TestFlight Build
Now you’re ready to start sniffing:
- Restart Charles to apply all settings, then open the TestFlight app on your device and launch the build you want to test.
- Perform the actions in the app that trigger API calls (e.g., logging in, loading a feed, submitting data). You’ll see requests start appearing in Charles’ main window.
- Click on any request in the left panel to view details:
  - The "Summary" tab gives an overview of the request/response.
  - The "Request" tab shows headers, query parameters, and request body.
  - The "Response" tab displays the API’s returned data (JSON, XML, etc.).
4. Filter and Analyze the Captured Traffic
To avoid sifting through irrelevant requests (like app store or ad traffic):
- Use the Filter tool (click the funnel icon in the toolbar) to enter your API domain—this will only show requests to/from that domain.
- Use the Search feature (Edit > Find) to look for specific API endpoints, parameters, or response values.
- Right-click any request and select "Save" to export it as JSON, CSV, or another format for later analysis.
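To take the filtering step out of the GUI and into a script, here is an added Python example (not part of the original answer) that reads a session saved in HAR format, one of the export formats Charles offers, narrows it to your API host the way the Filter box does, summarizes each call, and flags any request that sent a credential header over plain HTTP. The embedded HAR document, hostnames, paths and token value are constructed sample data, not a real capture.

```python
import json
from urllib.parse import urlparse

# Constructed sample: a minimal HAR 1.2 document of the kind Charles exports.
# Hosts, paths and the bearer token are made up for this example.
SAMPLE_HAR = json.dumps({
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {
                    "method": "POST",
                    "url": "https://api.your-app.com/v1/login",
                    "headers": [{"name": "Content-Type", "value": "application/json"}],
                },
                "response": {"status": 200},
            },
            {
                "request": {
                    "method": "GET",
                    "url": "https://api.your-app.com/v1/feed?page=1",
                    "headers": [{"name": "Authorization", "value": "Bearer EXAMPLE_TOKEN"}],
                },
                "response": {"status": 200},
            },
            {
                "request": {
                    "method": "GET",
                    "url": "http://api.your-app.com/v1/legacy/status",
                    "headers": [{"name": "Authorization", "value": "Bearer EXAMPLE_TOKEN"}],
                },
                "response": {"status": 200},
            },
            {
                "request": {
                    "method": "GET",
                    "url": "https://ads.example.net/track?id=1",
                    "headers": [],
                },
                "response": {"status": 204},
            },
        ],
    }
})

# Header names whose values are credentials and should never travel over plain HTTP.
SENSITIVE_HEADERS = {"authorization", "cookie", "x-api-key"}


def load_entries(har_text):
    """Return the request/response entries from a HAR document."""
    return json.loads(har_text)["log"]["entries"]


def filter_by_host(entries, host):
    """Keep only entries whose request URL targets `host` (the scripted equivalent of the Filter box)."""
    return [e for e in entries if urlparse(e["request"]["url"]).hostname == host]


def summarize(entry):
    """Reduce one entry to the fields you would read off the Summary/Request tabs."""
    req = entry["request"]
    url = urlparse(req["url"])
    sensitive = sorted(
        h["name"] for h in req.get("headers", []) if h["name"].lower() in SENSITIVE_HEADERS
    )
    return {
        "method": req["method"],
        "path": url.path,
        "status": entry["response"]["status"],
        "sensitive_headers": sensitive,
        # True when a credential header was sent without TLS.
        "plaintext_credentials": url.scheme == "http" and bool(sensitive),
    }


def analyze(har_text, host):
    """Filter a HAR export to one API host and summarize each call, in capture order."""
    return [summarize(e) for e in filter_by_host(load_entries(har_text), host)]


def plaintext_credential_paths(har_text, host):
    """Paths that carried a credential header over plain HTTP; fix these first."""
    return [s["path"] for s in analyze(har_text, host) if s["plaintext_credentials"]]


if __name__ == "__main__":
    for row in analyze(SAMPLE_HAR, "api.your-app.com"):
        print(row)
    print("plaintext credentials:", plaintext_credential_paths(SAMPLE_HAR, "api.your-app.com"))
```

Run it against a real export by replacing SAMPLE_HAR with the contents of the saved .har file; the host filter drops the ad and store traffic the answer warns about, and the plaintext check is the quickest way to spot a legacy endpoint that the app still calls without HTTPS.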
Common Pitfalls to Watch For
- Certificate Pinning: If your app uses certificate pinning, it will reject Charles’ root certificate, and you won’t see HTTPS traffic. If this is your own app, temporarily disable pinning in the TestFlight build, or add Charles’ certificate to your app’s trusted certificate list. For third-party apps, you may need tools like Frida to bypass pinning (but note this may violate terms of service).
- Proxy Connection Issues: If traffic isn’t showing up, double-check your device’s proxy settings, ensure your computer and device are on the same network, and verify that Charles is allowed through your computer’s firewall.
- TestFlight Build Updates: If you install a new TestFlight build, you may need to recheck proxy settings (though they usually persist unless you reset your device’s network settings).
Content of this question comes from stack exchange, question author Bhupendra Singh Rautela